Cross-site scripting (XSS) is one of the most common methods
hackers use to attack websites. XSS vulnerabilities permit a malicious user to
execute arbitrary chunks of JavaScript when other users visit your site.

XSS is the most common publicly reported security vulnerability, and part of
every hacker’s toolkit.

Risks

Prevalence: Common

Exploitability: Easy

Impact: Harmful

What could a determined hacker do when exploiting an XSS vulnerability?

XSS allows arbitrary execution of JavaScript code, so the damage that can be
done by an attacker depends on the sensitivity of the data being handled by your
site. Some of the things hackers have done by exploiting XSS:

Spreading worms on social media sites. Facebook, Twitter and YouTube have all been successfully attacked in this way.

Session hijacking. Malicious JavaScript may be able to send the session ID to a remote site under the hacker’s control, allowing the hacker to impersonate that user by hijacking a session in progress.

Identity theft. If the user enters confidential information such as credit card numbers into a compromised website, these details can be stolen using malicious JavaScript.
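Whether injected script can read the session ID, as in the session hijacking case above, depends on whether the session cookie was set with the HttpOnly attribute, which hides it from document.cookie. The following check is an added example, not code from the original page: it parses Set-Cookie headers and lists session-like cookies that page script can read. The name pattern, function names and sample headers are constructed assumptions.

```javascript
// Added example (not from the original page): find session cookies that
// JavaScript running in the page can read because HttpOnly is absent.

// Assumption: cookies whose names match this pattern carry session state.
const SESSION_NAME_RE = /sess|sid|auth|token/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq === -1 ? first : first.slice(0, eq).trim();
  const value = eq === -1 ? '' : first.slice(eq + 1).trim();
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name, value, attrs };
}

// Return the names of session-like cookies that lack HttpOnly.
function scriptReadableSessionCookies(headers) {
  const exposed = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    if (SESSION_NAME_RE.test(name) && !attrs.has('httponly')) {
      exposed.push(name);
    }
  }
  return exposed;
}

// Constructed sample headers, not captured from any real site.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure',   // no HttpOnly: exposed
  'SID=xyz; path=/; httponly; Secure',  // lower-case attribute still counts
  'theme=dark; Path=/',                 // not a session cookie: ignored
  'auth_token=HttpOnly; Path=/',        // "HttpOnly" is the value, not a flag
];

console.log(scriptReadableSessionCookies(SAMPLE_HEADERS));
```

The last sample header is the case a plain substring search for "HttpOnly" gets wrong. HttpOnly only stops script from reading the cookie; injected script can still send requests within the user's session, so the XSS flaw itself still has to be fixed.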